Check out these enterprise-ready, open source VPN solutions to meet the needs of any corporation, large or small.

In recent months, many popular online security and VPN vendors have come under fire after unaddressed vulnerabilities in their products left users open to serious threats.

In early February, the Software Engineering Institute at Carnegie Mellon University posted an advisory warning that the Pulse Secure VPN graphical user interface failed to validate SSL certificates when connecting to websites. This left enterprise-level clients open to man-in-the-middle (and other) attacks. While the SSL validation problem has been resolved for Pulse 5.3R4.2 and Pulse 5.2R9, the Carnegie Mellon researchers still warn against using it on untrusted networks.

After suffering from similar vulnerabilities, Cisco Adaptive Security Appliance software resolved its SSL validation problems, but didn't address whether it should be avoided on untrusted networks. These disclosures have left many organizations wondering whether they can trust these industry titans with their sensitive information or if they should abandon VPNs altogether.

Luckily, there are a number of enterprise-level, open source VPN solutions that will meet the needs of any corporation, large or small.

Benefits of OpenVPN solutions

OpenVPN is one of the power players in the online privacy world. It is an open source VPN technology that uses AES-256-CBC with a 2048-bit Diffie-Hellman key for Windows users. For Linux, iOS, and macOS users, OpenVPN encrypts information via the IKEv2/IPsec protocol with AES-256-GCM and a 3072-bit DH key.

In my experience, the Diffie-Hellman key is far more robust than RSA (Rivest, Shamir, and Adleman) because it enables perfect forward secrecy, which ensures that past communications and transfers cannot be decrypted in the future even if a long-term key is compromised.

What this means is OpenVPN is one of the most secure open source VPN software options available.
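The forward-secrecy property described above can be seen by replaying a recorded handshake after the long-term key leaks. The following is an added example, not code from the article or from OpenVPN; the toy-sized primes and all function names are assumptions made for illustration, and the RSA side models plain key transport with no padding.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption): small Mersenne primes keep the
# numbers readable. They are far too small for real use.
DH_P, DH_G = 2**127 - 1, 3
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's long-term private key


def kdf(secret: int) -> bytes:
    """Derive a 256-bit session key from an integer shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def rsa_key_transport():
    """Client picks the secret and sends it encrypted under the long-term key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    transcript = {"ciphertext": pow(premaster, RSA_E, RSA_N)}  # what a tap records
    return kdf(premaster), transcript


def ephemeral_dh():
    """Both sides use throwaway exponents; a long-term key would only sign."""
    a = secrets.randbelow(DH_P - 3) + 2
    b = secrets.randbelow(DH_P - 3) + 2
    transcript = {"client_pub": pow(DH_G, a, DH_P),
                  "server_pub": pow(DH_G, b, DH_P)}
    key = kdf(pow(transcript["server_pub"], a, DH_P))
    assert key == kdf(pow(transcript["client_pub"], b, DH_P))  # both ends agree
    return key, transcript  # a and b are discarded here: nothing left to leak


def recover_after_key_leak(transcript: dict, leaked_long_term_key: int):
    """Replay a recorded handshake once the server's long-term key is known."""
    if "ciphertext" in transcript:
        # Key transport: the leaked key decrypts the recorded premaster secret.
        return kdf(pow(transcript["ciphertext"], leaked_long_term_key, RSA_N))
    # Ephemeral DH: only g^a and g^b crossed the wire, and the leaked key is not
    # an input to the session key; recovery would need a discrete logarithm.
    return None
```

This is why auditing a VPN's cipher configuration for ephemeral (DHE/ECDHE) key exchange matters more than the size of the long-term key alone.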

Furthermore, the OpenVPN developer community is one of the most active and vocal in the online security world. Members are constantly refining and updating the software to keep up with the rapidly changing landscape of internet security.

Considering its impressive security specifications and the passionate team behind the software, I encourage corporations to use an OpenVPN-powered security solution, including some of the options on this list, whenever and wherever possible.

The 7 best open source VPN alternatives

Following are seven of the best open source VPN solutions that might work for your enterprise.

Openswan is an IPsec implementation for Linux that supports most IPsec-related extensions (including IKEv2). It's largely been considered the "go-to" VPN software for Linux users since early 2005. Depending on the version of Linux you are running, Openswan may already be in your distribution, and you can download the source code directly from its site if you can't easily locate the software.

The Tcpcrypt protocol is a unique VPN solution in the sense that it requires no configuration, changes to applications, or noticeable shifts in your network connection. Tcpcrypt operates using something known as "opportunistic encryption." This means that if the other end of the connection speaks Tcpcrypt, the traffic will be encrypted; otherwise, it can be seen as cleartext.

While this is far from ideal, the protocol has experienced a number of robust updates that make it more protected against both passive and active attacks. Although I would not recommend Tcpcrypt as a company-wide solution, it can serve as a fantastic and easy-to-implement solution for employees and branches that handle less sensitive information.

Tinc is free software that is licensed under the GNU General Public License. What sets tinc apart from the other VPNs on this list (including the OpenVPN protocol) is its variety of unique features, including encryption, optional compression, automatic mesh routing, and easy expansion. These features make tinc an ideal solution for businesses that want to create a VPN out of numerous smaller networks based far apart.

SoftEther (short for software Ethernet) VPN is by far one of the most powerful and user-friendly multi-protocol VPN software options on the market. Positioned as the ideal alternative to OpenVPN, SoftEther VPN has a clone function for the OpenVPN server allowing you to seamlessly migrate from OpenVPN to SoftEther VPN. SoftEther's impressive security standards and capabilities are considered comparable to market leaders such as NordVPN, making it an open source powerhouse.

SoftEther is also compatible with the L2TP and IPsec protocols, enabling added customization. Furthermore, SoftEther VPN has proven to be even faster than OpenVPN, improving the browsing experience. SoftEther's primary drawback is that it lags behind its contemporaries in terms of compatibility. However, the leading cause of this issue is the relative novelty of the SoftEther protocol and, as time goes on, you will likely see more and more platforms supporting SoftEther.

Considering that OpenConnect was a VPN client created to support Cisco's AnyConnect SSL VPN, you might be surprised to see this software on the list (after all, this is an article detailing alternatives to Cisco and Pulse). However, it's important to note that OpenConnect is not officially associated with Cisco or Pulse Secure. It's simply compatible with their equipment.

In fact, redevelopment of OpenConnect started after a trial of the Cisco client found it to have numerous security vulnerabilities, which OpenConnect set out to rectify. Today OpenConnect has addressed all of the Cisco client deficiencies (and more), making it one of the leading Cisco alternatives for any Linux user.

After more than 15 years of active development, Libreswan has created one of the best open source VPN alternatives on the modern market. Libreswan currently supports the most common VPN protocols: IPsec, IKEv1, and IKEv2. Like Tcpcrypt, Libreswan operates based on opportunistic encryption, making it vulnerable to active attacks. However, the plethora of security features and the active developer community make Libreswan a great option for low-to-mid-grade encryption requirements.

Maintained by Andreas Steffen, a professor for security in communications and the head of the Institute for Internet Technologies and Applications at the Swiss University of Applied Sciences Rapperswil, strongSwan has carved a name for itself in the VPN community by offering exceptional encryption standards, easy configuration, and IPsec policies that support large and complicated VPN networks.

Conclusion

Although the recent vulnerabilities revealed in the Cisco and Pulse Secure networks are troubling (to say the least), there are numerous open source alternatives that are suitable on the enterprise level. While implementing these solutions will require significant technical savvy and a high degree of company-wide cooperation, you can sleep much sounder at night knowing your company's sensitive information is secured by the best protocols available.

About the author

Sam Bocetta is a retired defense contractor for the U.S. Navy, a defense analyst, and a freelance journalist. He specializes in finding radical solutions to "impossible" ballistics problems. He covers trends in IoT Security, encryption, cryptography, cyberwarfare, and cyberdefense.
